Slashdot Mirror


Berkeley Law Releases Its First Web Privacy Census

New submitter DeeEff writes "The first report in the University of California, Berkeley Law School's quarterly Web Privacy Census was released on Tuesday, and it shows that popular Web sites are far more aggressive in their consumer tracking practices than most people suspect, and that consumers are trapped in an escalating privacy crisis with limited control over their personal information. Most interestingly noted in the article is that twice the number of sites are using HTML5 storage as opposed to last year, while Flash Cookies are dying down, as we should expect. It also appears that third-party tracking seems to dominate most sites, such as from Google, Facebook, and other large players."

13 of 55 comments

  1. The rest are details. by Johann Lau · · Score: 4, Insightful

    By the way, if anyone here is in advertising or marketing, kill yourself.

    Just a little thought. I'm just trying to plant seeds. Maybe one day, they'll take root. I don't know. You try. You do what you can. Kill yourself.

    Seriously, though. If you are, do. No, really. There's no rationalisation for what you do, and you are Satan's little helpers, okay? Kill yourself. Seriously. You are the ruiner of all things good, seriously. No, this is not a joke, if you're going: "There's going to be a joke coming." There's no fucking joke coming. You are Satan's spawn, filling the world with bile and garbage. You are fucked, and you are fucking us. Kill yourself, it's the only way to save your fucking soul. Kill yourself. Planting seeds.

    I know all the marketing people are going: "He's doing a joke." There's no joke here whatsoever. Suck a tail-pipe, fucking hang yourself, borrow a gun from a Yank friend - I don't care how you do it. Rid the world of your evil fucking machinations.

    I know what all the marketing people are thinking right now, too. "Oh, you know what Bill's doing? He's going for that anti-marketing dollar. That's a good market, he's very smart." Oh man. I am not doing that, you fucking evil scumbags! "Oh, you know what Bill's doing now? He's going for the righteous indignation dollar. That's a big dollar. Lot of people are feeling that indignation, we've done research. Huge market. He's doing a good thing." God damn it, I'm not doing that, you scumbags. Quit putting a goddamn dollar sign on every fucking thing on this planet! "Oh, the anger dollar. Huge. Huge in times of recession. Giant market, Bill's very bright to do that." God, I'm just caught in a fucking web. "Oh, the trapped dollar. Big dollar, huge dollar. Good market, look at our research. We see that many people feel trapped. If we play to that and then separate them into the trapped dollar ..."

    How do you live like that? And I bet you sleep like fucking babies at night, don't you? "What did you do today, honey?" "Oh, we made arsenic childhood food. Now, good night. Yeah, we just said, you know, is your baby really too loud? You know ... yeah, the mums will love it, yeah." Sleep like fucking children, don't you? This is your world, isn't it?

    -- Bill Hicks

  2. Not as simple as "use Tor!" by betterunixthanunix · · Score: 4, Interesting

    Yes, I know, someone is going to say, "Use Tor!" -- and I would have said the same thing not so long ago. Yet this is more complicated than just deploying privacy enhancing technologies.

    We are talking about companies that have teams of hackers and computer scientists who are paid to find ways to break technical measures of protecting privacy. Substantial effort is needed to fight back, and most people are not willing to do the sorts of things that would be needed to protect their privacy. Disabling Flash, Silverlight, Java, and Javascript? Disabling cookies? These things make using the web very difficult these days, and as if that were not enough, there are malicious Tor exits that look for passwords and credit card data -- leaving users dependent on the very websites that are violating their privacy to protect it (by enabling TLS).

    So unless someone has figured out a way to compel everyone to stop installing every trendy plugin, to give up on trendy Javascript-heavy websites, and to demand TLS from every website they connect to, we need to put some legal restrictions on data collection in place. Yes, I know, the big bad government interfering with business, but let's put it this way: do you want the big bad government to have access to vast logs of user activity (which is the next step after the corporations collect it -- the government either asks politely, demands it, or covertly acquires it)?

    Which leaves us at the heart of the problem: the only organization in our society with the power needed to stop this has an interest in promoting it.

    --
    Palm trees and 8
    1. Re:Not as simple as "use Tor!" by Anonymous Coward · · Score: 2, Interesting

      These things make using the web very difficult these days

      Do they really though? People keep saying that, but I've never seen it. I don't enable ANY of that shit by default. I whitelist a few sites like yahoo or my local bank, and that's it. Everything seems quite fine honestly, and much, much, much less annoying. When I look at the web on other people's computers who don't do that, it just looks entirely unusable. There's shit popping up over things you're trying to read, shit moving all around the screen to distract you, ... it's unusable.

      I think it's exactly the reverse of what you say. The web is very difficult to use WITHOUT disabling javascript, flash, and silverlight.

      Cookies, yeah, but you can immediately reject 3rd party cookies with no problems, and others, you can turn into session cookies.

  3. Ghostery. Right away. by gestalt_n_pepper · · Score: 3, Interesting

    Installing ghostery is the first thing I do now when I install a browser. You'll find that you can't interact with a lot of sites, or write comments on them if their tracking software is off, which gives you a good list of sites to stay away from.

    --
    Please do not read this sig. Thank you.
    1. Re:Ghostery. Right away. by Jah-Wren Ryel · · Score: 2

      Installing ghostery is the first thing I do now when I install a browser. You'll find that you can't interact with a lot of sites, or write comments on them if their tracking software is off, which gives you a good list of sites to stay away from.

      I've been using ghostery for what feels like forever and I have run across less than 5 sites that would not function without turning ghostery off.

      I can't say for the commenting part though because practically no website allows anonymous comments any more and I refuse to create an account just for a one-off comment and won't even go near facebook for regular use, much less as a global-login.

      --
      When information is power, privacy is freedom.
    2. Re:Ghostery. Right away. by Jah-Wren Ryel · · Score: 2

      The only alternative I can think of is a browser appliance (virtual machine), for each major service.

      I've been thinking along those lines too. What I would like to see is an extension for firefox that spoofs and/or configures all of that stuff based on the URL in the current tab.

      For example, if the URL includes facebook.com you get one profile and if you are browsing google.com you get another. The profile would include things like:

      unique browser-agent
      unique cookies (of all sorts)
      unique bogus X-Forwarded-For http header
      unique adblock exception list
      unique set of accepted content-types
      etc - basically everything one can possibly use to fingerprint a browser

      The RequestPolicy extension is the closest I've seen to that and it is still a long ways away. But what it does is let you define a list of exceptions based on the current URL, so if you are browsing google, you can pull in stuff from googleapis.com but if you are somewhere else, googleapis.com will be blocked.

      --
      When information is power, privacy is freedom.
  4. NoScript by doas777 · · Score: 2

    This is exactly why I use NoScript. I persistently block googleadservices.com, doubleclick.net, etc, but I like that NoScript protects me from the 3rd party listeners by default but in a granular way.

  5. Re:I miss the good old days... by Anonymous Coward · · Score: 2, Interesting

    When privacy meant not using your real name online?

    If you go back even further, everyone was using their real names online. In the 1970's and the first part of the 80's on (then) arpanet, the standard was to use your real name, and be "fingerable" to discover even more data about you such as your phone number and such. (I know, because I remember those times). But there weren't entire organizations hell bent on logging everything you did, so in that sense, it was far more private even if your data could be discovered by anyone. It was not yet an "evil" internet, and in that sense, yes, I miss the good old days. The pre-evil days.

    I blame every single person who joined the internet after about 1990. It was fine before the epic influx of clueless people. With the original internet population, none of this tracking shit would have worked. We'd have run those places off the damned net, stopped patronizing them, and blocked their attempts to track us. But the clueless legions that started to appear.... the stupid overwhelmed the smart.

  6. Re:people don't get this by Johann Lau · · Score: 2

    The way to preserve your privacy is to not leak the data in the first place. If you do, and your privacy WILL be violated.

    Kinda like going outside unarmed will get you robbed and killed, unless we make that illegal and enforce the law -- which doesn't completely stop it, but kinda helps. But let's drop that rape culture "blaming the victim" shit, yeah?

    Also, there's no way to not "leak", say, your IP address. So much for "you don't HAVE to accept those cookies, run those scripts, leak your user-agent, or anything else." That's bullshit even for geeks, doubly so for non-geeks.

  7. Re:people don't get this by Johann Lau · · Score: 2

    Good point about chaining, but still... that's like asking me whether I'd rather like hepatitis or AIDS!

    Of course I would prefer hepatitis, but ideally, I would prefer ice cream to both. And by that I mean legislation that a.) actually addresses the issue and b.) actually gets enforced. I know that's asking a lot, it's utterly naive seeing how everybody is in bed with everybody; but the thing is, as long as a good chunk of the people who are technically literate think it doesn't affect them, because they have ways around it, those voices are lacking, which makes the whole thing even less likely to happen. It's a web meme thing that annoys me since the days of gnutella... "they can't catch me" "they can't catch us all", "hax0rs will always find a way" etc.... it strikes me as selfish at best, and cowardly at worst.

    I'm not saying you can't take steps to make it harder to track you, I'm saying your grandma can't. Neither can little kids. Neither can 99% of the adults. So y u no angry? Statistically insignificant outliers are just that, you know... and no tyranny had or has 100% coverage and total control, not even the worst you could mention, so IMHO that is never a reason to shrug something off. It could be worse, but it should be better.

    Personally, I went real name a long time ago and haven't looked back since. Anyone who collects data on me simply burdens themselves with something they then have to hide from me. But I'm nuts, and most people aren't exhibitionists of hate like me. So their mileage varies, and that's why I care. Don't ask for whom the bell tolls, it tolls for thee, and all that...

  8. Re:I miss the good old days... Privacy vs Net by WillAffleckUW · · Score: 2

    Actually, the net works very well for privacy. If you have secure websites with encryption and specific usernames and logins and don't tell anyone about it, it works quite well.

    The problem arises when they want to make THAT public.

    It's my Internet. It wasn't made for you non-techies. You were an afterthought.

    --
    -- Tigger warning: This post may contain tiggers! --
  9. HTML5 storage? by gr8_phk · · Score: 2

    Isn't HTML5 storage that shit where they just dump data in a database on YOUR machine? Fuck figuring out who you are and matching shit up - just store it all on your own machine bit by bit and glurb it all in as needed. The problem is these fucking standards shitbags enabling all this. First it was cookies, now it's a full blown local database. Oh, and they can read enough info to identify the machine (recent Orbitz story?) because MSIE6 and other browsers couldn't implement the standards well enough and webdevs had to have more information about your setup just to make shit work.

    Just to be clear, the web can work with zero client side storage just by giving a site visitor a GUID embedded in every link - yes this requires the server to then inject the GUID dynamically into every page served, but who gives a shit when half the pages are dynamically created anyway? It wasn't easy in 1993, but today it would be trivial. Can someone please build a framework that makes this simple so we can turn off cookies and still have a "session"?

    And no, this is NOT a complete solution to privacy issues by any means - just a start - get people's machines to stop betraying them.
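
The cookie-less session described in the comment above, as an added example that is not part of the original thread: the server injects a random token into every same-site link it serves and looks the session up from the request URL. The hostname, the `sid` parameter name and all function names are assumptions made for illustration; because a token in a URL travels in the Referer header, off-site links are deliberately left untagged.

```python
import html
import re
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SITE_HOST = "shop.example"   # assumed hostname of the site serving the pages
PARAM = "sid"                # assumed query parameter carrying the session token
SESSIONS = {}                # token -> server-side session state

# Sent with every page: URL tokens otherwise leak through the Referer header
# and through shared caches.
RESPONSE_HEADERS = {"Referrer-Policy": "no-referrer", "Cache-Control": "no-store"}

def new_session():
    token = secrets.token_urlsafe(32)    # unguessable, unlike a sequential id
    SESSIONS[token] = {"cart": []}
    return token

def tag_url(url, token):
    """Add the token to same-site http(s) URLs; return anything else unchanged."""
    parts = urlsplit(url)
    if parts.scheme not in ("", "http", "https"):
        return url                       # mailto:, javascript:, data:, ...
    if parts.netloc and parts.hostname != SITE_HOST:
        return url                       # off-site, including //host/ links
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != PARAM]              # drop any stale token first
    query.append((PARAM, token))
    return urlunsplit(parts._replace(query=urlencode(query)))

# Simplification: only double-quoted href attributes are rewritten.
LINK_ATTR = re.compile(r'(?<![\w-])href="([^"]*)"')

def inject(page, token):
    """Rewrite every link in an HTML page so it carries the session token."""
    def rewrite(m):
        url = tag_url(html.unescape(m.group(1)), token)
        return f'href="{html.escape(url, quote=True)}"'
    return LINK_ATTR.sub(rewrite, page)

def session_for(request_url):
    """Return the session named by the request URL, or None if absent or forged."""
    token = dict(parse_qsl(urlsplit(request_url).query)).get(PARAM)
    return SESSIONS.get(token)
```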

  10. Re:people don't get this by Johann Lau · · Score: 2

    The important part is that Google and a million tracking sites don't have it - you know, the places that are the actual problem being discussed?

    The actual problem being discussed is people who use the web being tracked. Not people who browse through a gazillion proxies being able to evade that, provided the following is true:

    The proxy sites I use have no known history of ever selling that data to advertisers

    Not that you have any way to check, do you. What does "no known history" mean? That if they sold data, it would have become known? That's silly.

    Also, if 80% instead of, say 0.8% of all people would use proxies, and without any legislation that proclaims their right to do that sacrosanct, you'd see a huge ramp up in honey pots (not that you'd SEE it heh) and whatnot. In other words, you're not anonymous because nobody can get at you, but mostly because so many people aren't, nobody is even trying (hard) to get at you. It's just not worth the effort -- yet. Your data is worth as much as the data of others, it's much harder to get, so they pass, for now.

    Since I love Nazi comparisons: go for the weak first, consolidate your power using them, then use that power to overcome the rest. It's Nazi/Business 101, really, and Godwin can shut the fuck up. First they came for grandma, but I was using proxies, so I didn't stand up. Then they came for noobs, but I was leet, so I didn't stand up. Then suddenly my PC broke, and the only new ones I could get only had a huge "soma" button in the middle of the screen... which is when it dawned on me that my sense of superiority and security was uncalled for and played right into the hands of those who planted it there, and that technical solutions can't solve human problems in the long run.

    The entire chain (which changes from session to session) would have to be compromised BY GOOGLE and similar commercial trackers (the topic of TFA). Is Google doing that? If you have evidence they are, please present it.

    Wait, I know, I'll simply use your awesome logic: They have no known history of not doing that. If that kind of evidence is good enough for you, it's good enough for me :P